Cisco Compatible Extensions, Version 4 (CCXv4) – Intel 3945ABG User Manual

Prompt for the user name and password: Prompts for user name and password before you connect to the wireless network. The user name and password must first be set in the authentication server by the administrator.

Use the following user name and password: The user name and password must be first set in the authentication server by the administrator.

User Name: This user name must match the user name that is set in the authentication server.

Domain: Name of the domain on the authentication server. The server name identifies a domain or one of its sub-domains (for example, zeelans.com, where the server is blueberry.zeelans.com). NOTE: Contact your administrator to obtain the domain name.

Password: This password must match the password that is set in the authentication server. The entered password characters display as asterisks.

Confirm Password: Reenter the user password.

2. Click OK to save the settings and close the page. Server verification is not required.

Cisco Compatible Extensions, Version 4 (CCXv4)

To set up a client with EAP-FAST authentication with Cisco Compatible Extensions, version 4 (CCXv4):

1. Click Profiles on the Intel PROSet/Wireless main window.

2. On the Profile page, click Add to open the Create Wireless Profile Wizard's General Settings.

3. Wireless Network Name (SSID): Enter the network identifier.

4. Profile Name: Enter a descriptive profile name.

5. Operating Mode: Click Network (Infrastructure).

6. Click Next to open the Security Settings.

7. Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.

8. Data Encryption: Select one of the following:

TKIP provides per-packet key mixing, a message integrity check and a rekeying mechanism.

AES-CCMP (Advanced Encryption Standard - Counter CBC-MAC Protocol) is used as the data encryption method whenever strong data protection is important. AES-CCMP is recommended.

9. Data Encryption: Select AES-CCMP.

10. Enable 802.1x: Selected.

11. Authentication Type: Select EAP-FAST to be used with this connection.

Step 1 of 3: EAP-FAST Provisioning

With CCXv4, EAP-FAST supports two modes for provisioning:

Server-Authenticated Mode: Provisioning inside a server authenticated (TLS) tunnel.

Server-Unauthenticated Mode: Provisioning inside an unauthenticated (TLS) tunnel.

NOTE: Server-Authenticated Mode provides significant security advantages over Server-Unauthenticated Mode even when EAP-MSCHAPv2 is being used as an inner method. This mode protects the EAP-MSCHAPv2 exchanges from potential Man-in-the-Middle attacks by verifying the server’s authenticity before exchanging MSCHAPv2. Therefore, Server-Authenticated Mode is preferred whenever it is possible. An EAP-FAST peer must use Server-Authenticated Mode whenever a certificate or public key is available to authenticate the server and ensure the best security practices.

Provisioning of Protected Access Credentials (PAC):

EAP-FAST uses a PAC key to protect the user credentials that are exchanged. All EAP-FAST authenticators are identified by an authority identity (A-ID). The local authenticator sends its A-ID to an authenticating client, and the client checks its database for a matching A-ID. If the client does not recognize the A-ID, it requests a new PAC.
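The A-ID check described above, sketched as an added example (not code from the Intel manual or from Intel PROSet/Wireless). The packet layout follows RFC 4851 (EAP type 43, Start flag, Authority ID Data field); `next_step`, `build_start`, the returned labels, the `allow_unauthenticated` switch and the sample A-ID are assumptions made for illustration.

```python
import struct

EAP_REQUEST, EAP_TYPE_FAST = 1, 43      # EAP code 1 = Request, type 43 = EAP-FAST
FLAG_LENGTH, FLAG_START = 0x80, 0x20    # L and S bits of the EAP-FAST flags octet
AUTHORITY_ID_TYPE = 0x0004              # type of the Authority ID Data field


def parse_a_id(packet: bytes) -> bytes:
    """Return the A-ID carried in an EAP-FAST Start request."""
    if len(packet) < 10:                # 6-byte header + 4-byte field header
        raise ValueError("truncated EAP-FAST Start")
    code, _ident, length, eap_type, flags = struct.unpack("!BBHBB", packet[:6])
    if code != EAP_REQUEST or eap_type != EAP_TYPE_FAST:
        raise ValueError("not an EAP-FAST request")
    if not flags & FLAG_START or flags & FLAG_LENGTH:
        raise ValueError("not a plain Start message")
    if not 10 <= length <= len(packet):
        raise ValueError("EAP length field does not match the packet")
    field_type, field_len = struct.unpack("!HH", packet[6:10])
    if field_type != AUTHORITY_ID_TYPE or not 0 < field_len <= length - 10:
        raise ValueError("malformed Authority ID data")
    return packet[10:10 + field_len]


def next_step(packet: bytes, pac_store: dict, have_server_trust_anchor: bool,
              allow_unauthenticated: bool = False) -> str:
    """Decide what the client does with the authenticator's A-ID."""
    a_id = parse_a_id(packet)
    if a_id in pac_store:               # matching A-ID: a PAC already exists
        return "use-stored-pac"
    # Unknown A-ID: a new PAC is needed. Use the authenticated tunnel
    # whenever a certificate or public key for the server is available.
    if have_server_trust_anchor:
        return "provision-server-authenticated"
    # Assumed policy switch: refuse rather than fall back silently.
    return "provision-server-unauthenticated" if allow_unauthenticated else "refuse"


def build_start(a_id: bytes, ident: int = 1) -> bytes:
    """Build a constructed EAP-FAST Start request (sample input only)."""
    data = struct.pack("!HH", AUTHORITY_ID_TYPE, len(a_id)) + a_id
    header = struct.pack("!BBHBB", EAP_REQUEST, ident, 6 + len(data),
                         EAP_TYPE_FAST, FLAG_START | 0x01)  # version 1
    return header + data
```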
